Ford ECU Security Access Bruterforcer

[jakka]

I have created a J2534 Tool for Bruteforcing 0X27 Security Access on Ford modules. Haven't implemented FEPS yet, so it will not work on a PCM, but other modules it will. Uses the keybag from the Ford hack and bruteforces service 0x27 with those keys and some others. Used an OBDxPro FT interface so that will definetly work with this.

https://github.com/jakka351/Ford-ECU-Bruteforcer

Ford ECU Bruteforcer.exe

(435.5 KiB) Downloaded 40 times

[darkman5001]

This is awesome. Great work and thanks for sharing.

[Gatecrasher]

There's some Python seed-key code included with the same research paper. It came up with the same key result as Forscan when I tested it against my 2018 instrument cluster. I need to test it against a few other modules in my truck.

It's also pretty easy to get the secrets from the module firmware. At least the PPC based ones. I pulled the secret bytes from an 18 IPC, 17 BCM, and 17 gateway. The code was virtually identical in all three modules, despite coming from different suppliers. They were also stored in a contiguous block in all three modules. So if you can brute force level 1 for example, you can probably find the other levels with a simple search in a hex editor.

It's also possible to get some of the secret bytes if you know how to decrypt the IDS XML files. At least for modules that don't use the so-called "crypto algo". I think that just refers to how the secrets are stored in IDS. Because my IPC is one of those modules, and it uses the same old security algo for 27 01 and 27 03 in the actual module.

[VX L67 Getrag]

WOW this is a pretty cool tool, I've never had the need for it but I'm sure it will come in handy to plenty of people & maybe me someday too!